Threat Detail

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Minimum Engine

5600.1067

File Length

17,408 bytes

Description Added

2002-12-23

Description Modified

2002-12-29

Malware Proliferation

The risk assessment of this threat was updated to Low-Profiled due to media attention.

This worm contains errors which prevent it from replicating on Windows NT/2K/XP systems.

The worm attempts to spread over network shares by copying itself to the WINDOWS directory of remotely accessible machines as MQBKUP.EXE, utilizing a WIN.INI run key to load the worm at startup.

Local Infection

When run on the victim machine, the worm copies itself as %WinDir%\mqbkup.exe. To avoid being run twice, the worm creates a mutex "mkbkup61616" (if such a mutex already exists, the worm process exits). The following Registry key is set to hook system startup:

Significant NetBIOS traffic (UDP) is caused by this worm. One of the early indications of this worm's activity was the increase in port 137 hits on firewalls. This traffic is caused by the worm issuing WINS queries across contiguous IP ranges. The spreading mechanism observed in testing is outlined below:

The worm issues a WINS query (to retrieve the NetBIOS name).

The worm then tries to establish a NetBIOS session to the remote machine.

If successful, the worm attempts to spread by connecting to \\%machinename%\C using SMB (Server Message Block) commands (i.e. requiring an open 'C' share on the remote machine). This worm can infect password-protected shares if the security patch is not installed.

Please Note: if this patch is installed, but the share is not password protected, the worm will still spread to the machine.

In spreading, the worm attempts to copy itself to \Windows\mqbkup.exe on the remote machine.

A Run key is added to WIN.INI on the remote machine, to run the worm at startup. For example:

Run= 'C:\WINDOWS\MQBKUP.EXE'

The worm attempts to spread to all machines on the local subnet in the above manner (working through the subnet by increasing the last octet of the IP address for each WINS query).

Subsequently, in testing the worm was observed to follow the above mechanism for machines in the IP range A.B.(C+1).0 to A.B.(C+1).255 (where A.B.C.x is the local subnet).

Following that, the mechanism was repeated continually, with an apparently random starting IP address (for example 16.13.145.5 -> 16.13.145.255). Once the final octet reaches 255, a new initial starting IP is queried.
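The port 137 pattern described above (one source issuing WINS queries to address after address, last octet incrementing) is easy to pick out of firewall logs. The following is an added defensive example, not McAfee's tooling or any code from the worm: it parses a constructed log format, groups UDP/137 hits by source, and flags sources whose destinations form a run of consecutive addresses. The log line format, the sample lines, and the threshold of five consecutive addresses are assumptions for illustration.

```python
"""Flag hosts whose UDP/137 (NetBIOS name service) traffic walks a subnet
one address at a time, the scan pattern described for this worm.

Added defensive example; not McAfee's or the worm's code. The log
format and the sample lines below are constructed for illustration."""
import ipaddress
import re
from collections import defaultdict

# Constructed firewall log format: "<time> <action> UDP <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^\S+ \S+ UDP (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: 192.168.1.20 walks the neighbouring subnet; 192.168.1.31
# is ordinary NetBIOS name resolution (broadcast, then a single host).
SAMPLE_LOG = """\
12:00:01 DROP UDP 192.168.1.20:137 -> 192.168.2.1:137
12:00:01 DROP UDP 192.168.1.20:137 -> 192.168.2.2:137
12:00:02 DROP UDP 192.168.1.20:137 -> 192.168.2.3:137
12:00:02 DROP UDP 192.168.1.20:137 -> 192.168.2.4:137
12:00:03 DROP UDP 192.168.1.20:137 -> 192.168.2.5:137
12:00:03 DROP UDP 192.168.1.20:137 -> 192.168.2.6:137
12:00:03 DROP UDP 192.168.1.20:137 -> 192.168.2.7:137
12:00:04 DROP UDP 192.168.1.20:137 -> 192.168.2.8:137
12:00:05 DROP UDP 192.168.1.31:137 -> 192.168.1.255:137
12:00:06 DROP UDP 192.168.1.31:137 -> 192.168.1.7:137
12:00:07 ALLOW TCP 192.168.1.31:1042 -> 192.168.1.7:139
"""


def parse_udp137(log_text):
    """Return {src: [dst, ...]} for datagrams to UDP port 137, in log order."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("dport") == "137":
            hits[m.group("src")].append(ipaddress.IPv4Address(m.group("dst")))
    return hits


def longest_sequential_run(dsts):
    """Length of the longest run of destinations where each address is the
    previous one plus 1 (the 'increase the last octet' behaviour)."""
    best = run = 1 if dsts else 0
    for prev, cur in zip(dsts, dsts[1:]):
        run = run + 1 if int(cur) == int(prev) + 1 else 1
        best = max(best, run)
    return best


def find_scanners(log_text, min_run=5):
    """Sources whose UDP/137 queries walk at least min_run consecutive addresses."""
    return sorted(
        src for src, dsts in parse_udp137(log_text).items()
        if longest_sequential_run(dsts) >= min_run
    )


if __name__ == "__main__":
    for src in find_scanners(SAMPLE_LOG):
        print(f"sequential WINS query pattern from {src}")
```

The check keys on address order rather than volume, so a host doing normal name resolution (a broadcast plus a few unrelated hosts) is not flagged even if it is chatty; a sweeping host is flagged after a handful of queries, before it has covered the subnet.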

The worm drops a trojan, C:\MSLICENF.COM (detected as QZap248 with the 4240 DAT files), which can overwrite the boot sector, delete the CMOS settings, and delete the contents of the hard disk. A reference to this file is placed in the AUTOEXEC.BAT file. It then restarts the computer by dropping the file BOOT.EXE (detected as Reboot-V with the 4240 DAT files) and running it. Upon reboot, the .COM file is executed. The following message is displayed:

NOTICE:

Illegal Microsoft Windows license detected! You are in violation of the Digital Millennium Copyright Act!

Your unauthorized license has been revoked.

For more information, please call us at:

1-888-NOPIRACY

If you are outside the USA, please look up the correct contact information on our website, at:

www.bsa.org

Business Software Alliance Promoting a safe & legal online world.

Security Patch for 'Share Level Password' Vulnerability (MS00-072)

To protect against reinfection by W32/Opaserv.worm (and similar network-aware viruses), ensure you obtain and install this patch from Microsoft. It is relevant to the following operating systems:

Microsoft Windows 95

Microsoft Windows 98

Microsoft Windows 98 Second Edition

Microsoft Windows ME


It is also recommended that Win9x/ME users unbind File and Print Sharing from the TCP/IP protocol:

On Windows 9x/ME, right-click Network Neighborhood on the Desktop and select Properties.

Uncheck "File and Print Sharing for Microsoft Networks" if it is checked.

Click "OK" and "OK" again, and reboot when prompted.

All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.

Note: The virus alters the WIN.INI file on remote systems after it copies itself to that system. Therefore, VirusScan may detect and remove the virus before the WIN.INI change occurs. In this scenario users may see an error message that the file SCRSVR.EXE (or another file name) cannot be found when starting Windows. To fix this, follow these steps:

Click START - RUN

Type WIN.INI and hit ENTER

Locate the run= line and remove the offending filename after the = sign
(e.g. C:\WINDOWS\SYSTEM\SCRSVR.EXE)

Click FILE - EXIT and select YES when prompted to save your changes
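The manual WIN.INI cleanup above, and the run= entry the worm writes (Run= 'C:\WINDOWS\MQBKUP.EXE', described earlier), can be handled programmatically when many machines need the same fix. This is an added remediation example, not McAfee's tooling: it reads the [windows] section of a WIN.INI file from a string, lists the programs on the run= line, and removes only the entry whose basename matches the worm's filename, leaving any other startup programs in place. The sample WIN.INI contents and the second startup entry (TRAY.EXE) are constructed for illustration; the caller is assumed to read and write the real file itself.

```python
"""List and remove entries on the run= line of a Windows 9x WIN.INI.

Added remediation example, not McAfee's tooling. Assumes the WIN.INI text
has already been read into a string; the sample below is constructed."""
import re

# Constructed WIN.INI: the worm's quoted entry plus one legitimate program.
SAMPLE_WIN_INI = """\
[windows]
load=
Run= 'C:\\WINDOWS\\MQBKUP.EXE' C:\\TOOLS\\TRAY.EXE
NullPort=None

[Desktop]
Wallpaper=(None)
"""

# The key is case-insensitive and may have spaces around '='.
RUN_RE = re.compile(r"^(?P<key>run\s*=)\s*(?P<value>.*)$", re.IGNORECASE)


def split_run_value(value):
    """run= lists programs separated by spaces or commas; the worm quotes
    its path, so quotes are stripped from each token. Paths containing
    spaces are not expected in this format and are not handled."""
    return [t.strip("'\"") for t in re.split(r"[,\s]+", value.strip())
            if t.strip("'\"")]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_run_entries(ini_text):
    """Programs listed on the run= line of the [windows] section."""
    section = None
    for line in ini_text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            section = s[1:-1].lower()
        elif section == "windows":
            m = RUN_RE.match(s)
            if m:
                return split_run_value(m.group("value"))
    return []


def remove_run_entry(ini_text, filename):
    """Return ini_text with every run= program whose basename equals
    filename (case-insensitive) removed; other entries and sections are
    kept unchanged."""
    out, section = [], None
    for line in ini_text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            section = s[1:-1].lower()
        elif section == "windows":
            m = RUN_RE.match(s)
            if m:
                keep = [p for p in split_run_value(m.group("value"))
                        if _basename(p) != filename.lower()]
                line = "run=" + " ".join(keep)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("before:", find_run_entries(SAMPLE_WIN_INI))
    cleaned = remove_run_entry(SAMPLE_WIN_INI, "mqbkup.exe")
    print("after: ", find_run_entries(cleaned))
```

Matching on the basename rather than the whole path is deliberate: the worm writes the entry as C:\WINDOWS\MQBKUP.EXE, but the Windows directory is not always C:\WINDOWS, and the same routine then serves the SCRSVR.EXE case from the note above by passing that name instead.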

In the event that the destructive payload has activated, you may need to replace your boot sector with a valid one, contact your computer manufacturer to restore CMOS settings, and restore data erased from the disk from backup.